Wordfence Intelligence Weekly WordPress Vulnerability Report (February 5, 2024 to February 11, 2024)
🎉 Did you know we’re running a Bug Bounty Extravaganza again?
Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure!
Last week, 95 vulnerabilities disclosed in 65 WordPress plugins and 3 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 33 vulnerability researchers contributed to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- WAF-RULE-675 – data redacted while we work with the vendor on a patch.
- WAF-RULE-676 – data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
| --- | --- |
| Unpatched | 13 |
| Patched | 82 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
| --- | --- |
| Low Severity | 2 |
| Medium Severity | 82 |
| High Severity | 7 |
| Critical Severity | 4 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
| --- | --- |
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 30 |
| Cross-Site Request Forgery (CSRF) | 21 |
| Missing Authorization | 18 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 5 |
| Information Exposure | 3 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 3 |
| Deserialization of Untrusted Data | 2 |
| Authorization Bypass Through User-Controlled Key | 2 |
| Improper Access Control | 2 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1 |
| Uncontrolled Resource Consumption (‘Resource Exhaustion’) | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
| Insecure Storage of Sensitive Information | 1 |
| Incorrect Authorization | 1 |
| Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) | 1 |
| Improper Authorization | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
| --- | --- |
| Francesco Carlucci | 24 |
| Lucio Sá | 10 |
| Dhabaleshwar Das | 7 |
| Webbernaut | 6 |
| Dimas Maulana | 3 |
| Ngô Thiên An (ancorn_) | 3 |
| Krzysztof Zając | 3 |
| beluga | 2 |
| Sh | 2 |
| Rhynorater | 2 |
| kodaichodai | 2 |
| Kyle Sanchez | 2 |
| Felipe Restrepo Rodriguez (pfelilpe) | 2 |
| István Márton (Wordfence Vulnerability Researcher) | 2 |
| Rafie Muhammad | 2 |
| Sean Murphy | 2 |
| stealthcopter | 2 |
| hir0ot | 1 |
| Dave Jong | 1 |
| Le Ngoc Anh | 1 |
| villu164 | 1 |
| Colin Xu | 1 |
| Christian Angel | 1 |
| LVT-tholv2k | 1 |
| wesley (wcraft) | 1 |
| Dmitrii Ignatyev | 1 |
| Abu Hurayra (HurayraIIT) | 1 |
| Muhammad Hassham Nagori | 1 |
| Abdi Pranata | 1 |
| Skalucy | 1 |
| Pham Ho Anh Dung | 1 |
| Savphill | 1 |
| Scott Kingsley Clark | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
| --- | --- |
| 3D Tag Cloud | cardoza-3d-tag-cloud |
| AMP for WP – Accelerated Mobile Pages | accelerated-mobile-pages |
| Admin Menu Editor | admin-menu-editor |
| Advanced Forms for ACF | advanced-forms |
| All 404 Pages Redirect to Homepage | all-404-pages-redirect-to-homepage |
| All-In-One Security (AIOS) – Security and Firewall | all-in-one-wp-security-and-firewall |
| Apollo13 Framework Extensions | apollo13-framework-extensions |
| Awesome Support – WordPress HelpDesk & Support Plugin | awesome-support |
| Backuply – Backup, Restore, Migrate and Clone | backuply |
| Basic Log Viewer | wpsimpletools-log-viewer |
| Before After Image Slider WP | before-after-image-slider |
| Buttons Shortcode and Widget | buttons-shortcode-and-widget |
| Contact Form 7 Connector | ari-cf7-connector |
| Content Cards | content-cards |
| Coupon Referral Program | coupon-referral-program |
| Custom Twitter Feeds – A Tweets Widget or X Feed Widget | custom-twitter-feeds |
| Customer Reviews for WooCommerce | customer-reviews-woocommerce |
| Elementor Addon Elements | addon-elements-for-elementor-page-builder |
| Elementor Addons by Livemesh | addons-for-elementor |
| Elementor Website Builder – More than Just a Page Builder | elementor |
| Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin | wp-event-solution |
| Honeypot for WP Comment | honeypot-for-wp-comment |
| ImageRecycle pdf & image compression | imagerecycle-pdf-image-compression |
| InfiniteWP Client | iwp-client |
| Insert PHP Code Snippet | insert-php-code-snippet |
| Internal Link Juicer: SEO Auto Linker for WordPress | internal-links |
| Link Library | link-library |
| Login Lockdown – Protect Login Form | login-lockdown |
| Matomo Analytics – Ethical Stats. Powerful Insights. | matomo |
| Meta Box – WordPress Custom Fields Framework | meta-box |
| Minimal Coming Soon – Coming Soon Page | minimal-coming-soon-maintenance-mode |
| My Calendar | my-calendar |
| NextMove Lite – Thank You Page for WooCommerce | woo-thank-you-page-nextmove-lite |
| PPWP – Password Protect Pages | password-protect-page |
| Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions | paid-memberships-pro |
| Passster – Password Protect Pages and Content | content-protector |
| Payment Forms for Paystack | payment-forms-for-paystack |
| Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress | contest-gallery |
| Podlove Podcast Publisher | podlove-podcasting-plugin-for-wordpress |
| Podlove Subscribe button | podlove-subscribe-button |
| Polls CP | cp-polls |
| Portugal CTT Tracking for WooCommerce | portugal-ctt-tracking-woocommerce |
| PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) | powerpack-lite-for-elementor |
| Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Media Slider, Drag Drop Slider, Video Slider, Product Slider, Ecommerce Slider) | bdthemes-prime-slider-lite |
| Product Labels For Woocommerce (Sale Badges) | aco-product-labels-for-woocommerce |
| Quiz Maker | quiz-maker |
| RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator | feedzy-rss-feeds |
| RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging | wp-rss-aggregator |
| Royal Elementor Addons and Templates | royal-elementor-addons |
| Shariff Wrapper | shariff |
| Shield Security – Smart Bot Blocking & Intrusion Prevention Security | wp-simple-firewall |
| Simple Page Access Restriction | simple-page-access-restriction |
| Starbox – the Author Box for Humans | starbox |
| Themify Builder | themify-builder |
| Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline) | timeline-widget-addon-for-elementor |
| VK Poster Group | vk-poster-group |
| WP 404 Auto Redirect to Similar Post | wp-404-auto-redirect-to-similar-post |
| WP Booking Calendar | booking |
| WP Club Manager – WordPress Sports Club Plugin | wp-club-manager |
| WP Contact Form | wp-contact-form |
| WP Recipe Maker | wp-recipe-maker |
| WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc | wp-sms |
| WP Shortcodes Plugin — Shortcodes Ultimate | shortcodes-ultimate |
| Wonder Slider Lite | wonderplugin-slider-lite |
| Woocommerce Vietnam Checkout | woo-vietnam-checkout |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
| --- | --- |
| Blocksy | blocksy |
| Royal Elementor Kit | royal-elementor-kit |
| brooklyn | brooklyn |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site with the scanner enabled, you should already have been notified if your site was affected by any of these vulnerabilities. If you would like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to use.
Shield Security – Smart Bot Blocking & Intrusion Prevention Security
Source: wordfence.com